Hi everyone I have problem width the update reply. I check the total acctinputocted for the user and flag the Mikrotik-Xmit-Limit attribute. When I set the ip address for the module my pppoe user on mikrotik get this ip address successfuly but when I use the framed-pool and set the ip-pool name in mikrotik the clinet can not get the ip from the ip-pool. please help me to fix this problem On Tue, May 23, 2017 at 1:41 AM, < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. is there a way to identify the very first ACCESS-REQUEST (Michael Hocke) 2. Re: is there a way to identify the very first ACCESS-REQUEST (Matthew Newton) 3. Re: Freeradius Multiple Disjoint Ad Domains (Arnab Roy) 4. Re: is there a way to identify the very first ACCESS-REQUEST (Michael Hocke) 5. Re: is there a way to identify the very first ACCESS-REQUEST (Matthew Newton) 6. Re: is there a way to identify the very first ACCESS-REQUEST (Michael Hocke) 7. Re: Freeradius with multiotp - but otp-pin is in username (blaster@vorsicht-bissig.de)
----------------------------------------------------------------------
Message: 1 Date: Mon, 22 May 2017 13:04:59 -0400 From: Michael Hocke <mh103@nyu.edu> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: is there a way to identify the very first ACCESS-REQUEST Message-ID: <D71F1F39-81F6-4417-8782-FCC16E6A82A8@nyu.edu> Content-Type: text/plain; charset=us-ascii
Hi there,
I want to improve our logging and want to keep track of authentication attempts that do not complete. I was thinking of logging the very first ACCESS-REQUEST and then later on the result. Is there a good way to identify the very first ACCESS-REQUEST from the client with unlang? Maybe by checking the contents of the session-state list or some such? Any ideas?
Thanks!
- Michael
------------------------------
Message: 2 Date: Mon, 22 May 2017 19:20:52 +0100 From: Matthew Newton <matthew@newtoncomputing.co.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: is there a way to identify the very first ACCESS-REQUEST Message-ID: <20170522182052.GA7565@elk.newtoncomputing.co.uk> Content-Type: text/plain; charset=us-ascii
On Mon, May 22, 2017 at 01:04:59PM -0400, Michael Hocke wrote:
I want to improve our logging and want to keep track of authentication attempts that do not complete. I was thinking of logging the very first ACCESS-REQUEST and then later on the result. Is there a good way to identify the very first ACCESS-REQUEST from the client with unlang? Maybe by checking the contents of the session-state list or some such? Any ideas?
I look to see if it's an EAP identity. Which works OK if you're doing EAP.
if (&EAP-Message =~ /^0x02......01/) { detail } eap
-- Matthew
------------------------------
Message: 3 Date: Mon, 22 May 2017 21:09:58 +0200 From: "Arnab Roy" <arnabroy@mail.com> To: freeradius-users@lists.freeradius.org, "Matthew Newton" <mcn4@leicester.ac.uk> Subject: Re: Freeradius Multiple Disjoint Ad Domains Message-ID: <trinity-82f81d62-20d5-41b0-964a-3ed7ccdc55aa- 1495480198798@3capp-mailcom-lxa14>
Content-Type: text/plain; charset="UTF-8"
Hi Matthew,
Sorry I am back with this one. After digging through tons of samba source I have finally managed to reach a stage where Winbind is now running completely separately so just need to sort out ntlm_auth. Looking through the source code I stumbled upon the following file in nsswitch and saw your name as the author :) hope its the same Matthew :)
nsswitch/wb_common.c
Now previously it seems like it was possible to set the Winbind Socket directory via an environment variable ( http://samba.2283325.n4.nabble.com/NTLM-Authentication-against-multiple -domain-comtrollers-td3024825.html )
This seems to have gone now looking at the code
static const char *winbindd_socket_dir(void) { if (nss_wrapper_enabled()) { const char *env_dir; env_dir = getenv("SELFTEST_WINBINDD_SOCKET_DIR"); if (env_dir != NULL) { return env_dir; } } return WINBINDD_SOCKET_DIR; }
Can you see any issues if I changed this to return a custom environment variable instead ? Also from a FR perspective I am considering chrooting ntlm_auth ?
Your help is much appreciated.
Many Thanks Arnab
The problem seems to be ntlm_auth doesnt see that the winbindd privileged pipe and winbindd socket is running in a custom directory. IIRC ntlm_auth connects to winbindd using the /tmp/.winbindd/pipe pipe, and then queries winbindd over that pipe what the location of the priv pipe is. So if you've got two winbindds both with /tmp/.winbindd/pipe, only one of those is going to work. Assuming the two copies of Samba were compiled with different locations then it might work. I'd be inclined to strace all the things and see what's really happening. I'd expect that if you built Samba and installed in /opt/samba1/ and /opt/samba2/ and then ran /opt/samba1/ntlm_auth and /opt/samba2/ntlm_auth that the locations would probably be separate and all would be OK. But running two copies of Samba on the same box is hardly a standard setup, so you're likely to be on your own. Or you could just proxy the RADIUS request to a separate VM with another instance of Samba on it and save the unusual setup. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Sent: Monday, May 22, 2017 at 12:37 PM From: "Matthew Newton" <mcn4@leicester.ac.uk> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: Freeradius Multiple Disjoint Ad Domains On Mon, May 22, 2017 at 01:27:53PM +0200, Arnab Roy wrote: - List info/subscribe/unsubscribe? See [1]http://www.freeradius.org/list/users.html
References
1. http://www.freeradius.org/list/users.html
------------------------------
Message: 4 Date: Mon, 22 May 2017 15:32:00 -0400 From: Michael Hocke <mh103@nyu.edu> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: is there a way to identify the very first ACCESS-REQUEST Message-ID: <7D716BE5-D12E-4512-9BC0-480DFFE36E8C@nyu.edu> Content-Type: text/plain; charset=utf-8
On May 22, 2017, at 2:20 PM, Matthew Newton < matthew@newtoncomputing.co.uk> wrote:
On Mon, May 22, 2017 at 01:04:59PM -0400, Michael Hocke wrote:
I want to improve our logging and want to keep track of authentication attempts that do not complete. I was thinking of logging the very first ACCESS-REQUEST and then later on the result. Is there a good way to identify the very first ACCESS-REQUEST from the client with unlang? Maybe by checking the contents of the session-state list or some such? Any ideas?
I look to see if it's an EAP identity. Which works OK if you're doing EAP.
if (&EAP-Message =~ /^0x02......01/) { detail } eap
That looks good. I’ll give it a try. Follow-up question: is there a way to get a hold of the request number from within unlang? I don’t think I see it anywhere in the source code but I want to ask anyway. If not, is this something planned for a future release or is there a better way to correlate different log lines to the same request?
Thanks again!
- Michael
------------------------------
Message: 5 Date: Mon, 22 May 2017 20:49:43 +0100 From: Matthew Newton <matthew@newtoncomputing.co.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: is there a way to identify the very first ACCESS-REQUEST Message-ID: <9A9A26CD-35F6-4FA8-9A42-A8BA75D37D64@newtoncomputing.co.uk> Content-Type: text/plain; charset=utf-8
On 22 May 2017 20:32:00 BST, Michael Hocke <mh103@nyu.edu> wrote:
That looks good. I’ll give it a try. Follow-up question: is there a way to get a hold of the request number from within unlang? I don’t think I see it anywhere in the source code but I want to ask anyway.
http://wiki.freeradius.org/config/run_time_variables
%n, in v3 onwards.
-- Matthew
------------------------------
Message: 6 Date: Mon, 22 May 2017 16:00:18 -0400 From: Michael Hocke <mh103@nyu.edu> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: is there a way to identify the very first ACCESS-REQUEST Message-ID: <1ECD6BA4-C805-450E-8241-49C446CCB483@nyu.edu> Content-Type: text/plain; charset=utf-8
On May 22, 2017, at 3:49 PM, Matthew Newton < matthew@newtoncomputing.co.uk> wrote:
On 22 May 2017 20:32:00 BST, Michael Hocke <mh103@nyu.edu> wrote:
That looks good. I’ll give it a try. Follow-up question: is there a way to get a hold of the request number from within unlang? I don’t think I see it anywhere in the source code but I want to ask anyway.
http://wiki.freeradius.org/config/run_time_variables
%n, in v3 onwards.
Awesome. Thank you very much.
- Michael
------------------------------
Message: 7 Date: Tue, 23 May 2017 00:41:36 +0200 From: blaster@vorsicht-bissig.de To: freeradius-users@lists.freeradius.org Subject: Re: Freeradius with multiotp - but otp-pin is in username Message-ID: <0fef0540-59bd-4b62-bd6f-adb1b1856e27@gmx.at> Content-Type: text/plain; charset=utf-8; format=flowed
Hello,
I put the policy on the top of the authorize section and it works as intendet. Thank you very much, Alan DeKok for your advice!
Best regards Gerald
On 22.05.2017 14:30, Alan DeKok wrote:
On May 21, 2017, at 6:53 PM, blaster@vorsicht-bissig.de wrote:
i'm trying to setup FreeRADIUS Version 3.0.13 with multiotp BUT I want to enter the information like this: "{Username}:{OTP-PIN}" ==> f.e. "dani:955825" (username in users file) "{Password}" ==> f.e. "blabla" (password in users file) That's a little unusual, but it should work, mostly.
But most people appoint the OTP to the password, not to the User-Name.
I think this could be a way, to get some devices to work with 2 factor, which are not build for it. I successfully get an ok from multiotp, by regex'ing "{OTP-PIN}" from "{Username}:{OTP-PIN}", but PAP is failing, because I can't get PAP to look for "{Username}" (f.e. "dani"). It always tries to look for "{Username}:{OTP-PIN}" (f.e. "dani:955825") in the authentication-section. Because the default configuration looks up users by the contents of the User-Name attribute.
Sine you've modified the User-Name to contain the OTP key, that won't work.
It would be nice if you could point me in the right direction. My apologies, if this question was already asked, and I didn't find it. Best regards Gerald remark - begin ------------ I successfully did it with "{Username} " ==> f.e. "dani" (username in users file) "{Password}{OTP-PIN}" ==> f.e. "blabla955825" (password in users file) Which is what most people use.
But I think the "{Username}" "{Password}{OTP-PIN}" way, fails when it comes to MSCHAP (with ActiveDirectory), because Freeradius compares only password hashes and not plaintext, so it can't recongnise what's the OTP-PIN and what's the password. Yes.
-------------- remark - end /usr/local/etc/raddb/users #### "dani" Cleartext-Password := "blabla", MS-CHAP-Use-NTLM-Auth := 0 #### /usr/local/etc/dictionary #### ATTRIBUTE User-OTP 3000 string You don't need that.
ATTRIBUTE User-Password-TMP 3001 string #### /usr/local/etc/raddb# cat policy.d/pol_usernamemultiotp ##### pol_usernamemultiotp.authorize { if ( &User-Name =~ /^(.*)(\:)([0-9]{6})$/) { update request { User-Password-TMP := "%{User-Password}" User-OTP := "%{3}" User-Password := "%{User-OTP}" This isn't necessary.
User-Name := "%{1}"
You probably shouldn't re-write the User-Name. Leave it alone.
Stripped-User-Name := "%{1}"
If Stripped-User-Name exists, the server uses it for lookups instead of User-Name. So all you need to do is set Stripped-User-Name correctly.
##### radiusd -X output - begin Reading it carefully helps... the messages are useful.
##### Ready to process requests (0) Received Access-Request Id 192 from 127.0.0.1:56491 to 127.0.0.1:1842 length 81 (0) User-Name = "dani:955825" (0) User-Password = "blabla" (0) NAS-IP-Address = 127.0.0.1 (0) NAS-Port = 100 (0) Message-Authenticator = 0x0cc5e28430dea113b6b4fde2d1537388 That's the Access-Request...
(0) custom_otp: Searching for user in group "vlan10" rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): You probably need to lower "min" Pay attention to those messages. Either increase "idle_timeout", or lower "min".
(0) custom_otp: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (0) custom_otp: --> (samaccountname=dani:955825) (0) custom_otp: Search returned no results Note that it's looking up the User-Name attribute. i.e. the name *before* any edits.
rlm_ldap (ldap): Released connection (6) (0) [ldap] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) policy pol_usernamemultiotp.authorize { And AFTER you look up User-Name (the one with the OTP), you run the policy to fix the User-Name.
i.e. you have this reversed.
The solution is to put the re-write at the TOP of the "authorize" section. That way, the Stripped-User-Name attribute is seen by all modules.
And the policy you created is too complicated. Just do this:
if ( &User-Name =~ /^(.*):([0-9]{6})$/) { update request { Stripped-User-Name := "%{1}" User-OTP := "%{2}" } }
i..e. you don't need a "tmp" password. You don't need to re-write the password. You don't need to match (:) in the regex. Just matching : is good enough.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
------------------------------
Subject: Digest Footer
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 145, Issue 48 *************************************************